IT Security and Insecurity Portal

Results in Cain

Posted: Sun Jan 18, 2009 11:06 am
Hanna313 | Active user | Joined: Dec 17, 2008 | Posts: 26

Hello,
Cain gave me these results about a friend of mine when I was sniffing on a network.

lm hash: 020E3E793046F14E00000000000000000000000000000000
nt hash: CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E
challenge: 29738582FE12235E

I got a few questions:

Are the lm and nt hash not too long?
What to do with all those 0000... in the lm hash, can this be right?
What is a challenge?

Hanna313

Posted: Sun Jan 18, 2009 2:03 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

What software did you use to get this data? It's best to use Cain for network sniffing. In this way all needed data is already imported to Cain! Right now your problem is - how to import this data to Cain, right?
I'm doing some tests about this issue, but it takes some time.

Posted: Sun Jan 18, 2009 4:33 pm
Hanna313 | Active user | Joined: Dec 17, 2008 | Posts: 26

Thanks for your reply Waraxe.
Yes, I used Cain to get this data, but I don't know why the lm hash has all those 0000... in it and if this is okay, and if the nt hash isn't too long.

So in the end, can it be cracked?

Posted: Sun Jan 18, 2009 6:40 pm
Henderson | Valuable expert | Joined: Jul 11, 2008 | Posts: 58

Hanna313 wrote:
> Yes, I used Cain to get this data, but I don't know why the lm hash has all those 0000... in it and if this is okay, and if the nt hash isn't too long.

Because these are not regular LM/NTLM hashes but rather response hashes of the NTLM challenge-response authentication routine. I believe the hashes you provided are derived from the so-called "NTLM2 Session Response". Bruteforcing it is possible but very time consuming.

Posted: Sun Jan 18, 2009 6:47 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

This is not NTLM v2, it's v1. V2 is using two challenges.
http://en.wikipedia.org/wiki/NTLM

Code:
    NTLMv1

    NTLMv1 is a challenge-response authentication protocol. The server authenticates the client by sending an 8-byte random number, the challenge. The client performs an operation involving the challenge and a secret shared between client and server, e.g. a password. The client returns the 24-byte result of the computation. In fact, in NTLMv1 two computations are made using two different shared secrets and two 24-byte results are returned. The server verifies that the client has computed the correct result, and from this infers possession of the secret, and hence the identity of the client.

    The two secrets are:

    * the LANMAN Hash of the user's password and
    * the MD4 hash of the user's password

    Both these hashes produce 16-byte quantities. Five bytes of zeros are appended to obtain 21 bytes. The 21 bytes are separated in three 7-byte quantities. Each of these 56-bit quantities is used as a key to DES encrypt the 64-bit challenge. The three encryptions of the challenge are reunited to form the 24-byte response. Both the response using the lanman hash and the MD4 hash (called the NT Hash) are returned as the response.

    C = 8-byte server challenge, random
    K1 | K2 | K3 = NT-Hash | 5-bytes-0
    R1 = DES(K1,C) | DES(K2,C) | DES(K3,C)
    K1 | K2 | K3 = LM-Hash | 5-bytes-0
    R2 = DES(K1,C) | DES(K2,C) | DES(K3,C)
    response = R1 | R2

And probably the LM hash is not in use (for example Vista does not use it anymore). Cain is capable of cracking such hashes, but the problem is importing them to Cain. This is what I'm doing right now - experimenting and trying to make it work in practice.

Posted: Sun Jan 18, 2009 7:10 pm
Henderson | Valuable expert | Joined: Jul 11, 2008 | Posts: 58

It's not really NTLM v2. "NTLM2 Session Response" is an unofficial term. And it does utilize two challenges - the LM response hash is in fact the null-padded client challenge.
As for importing the data to Cain, either edit your *.LST file or press the Insert key while in Cain's cracker and import it from a text file.

Posted: Sun Jan 18, 2009 7:54 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

So what mode in Cain? "LM & NTLM Hashes --> NTLM Session Security Hashes"? And in what form should that text file be? Fields separated by ":"? Can you provide a working example of a text file importable to Cain? I'm currently using Cain on Vista x64 and it seems that Cain does not like 64-bit Windows. So I have to test my ideas on VMware and it takes some more time.

Posted: Sun Jan 18, 2009 8:07 pm
Henderson | Valuable expert | Joined: Jul 11, 2008 | Posts: 58

It would be

Code:
    UserName:3:29738582FE12235E:020E3E793046F14E00000000000000000000000000000000:CCF3DD7F07AB31BBB2BB2A31D7331A52C55BE04ECF43191E

Posted: Sun Jan 18, 2009 8:39 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

Thanks for the useful information.

Posted: Mon Jan 19, 2009 7:02 pm
Hanna313 | Active user | Joined: Dec 17, 2008 | Posts: 26

So Waraxe, what do you think?
Can it be cracked? And how can it be cracked?

Posted: Mon Jan 19, 2009 7:57 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

Hanna313 wrote:
> So Waraxe, what do you think?
> Can it be cracked? And how can it be cracked?

Make a text file as explained above, then go to Cain, navigate to "Cracker" --> "LM and NTLM Hashes"
--> press the Insert key --> "Add NT Hashes from" pops up --> select "Import hashes from a text file" -->
select that text file --> press the Next button ==> hashes are imported.

Next choose the right algorithm - "NTLM Session Security Hashes" - and select either the Dictionary or Bruteforce method.

I was not successful with that hash cracking, but I'm short of free time and computing resources.
So my suggestion is to use bruteforce and let your PC or PCs crack it 24/7 as long as possible.
But of course it all depends on the initial plaintext password quality
- strong NT password hashes are practically uncrackable (as for this moment's state of computing technology).

Posted: Mon Jan 19, 2009 8:04 pm
Hanna313 | Active user | Joined: Dec 17, 2008 | Posts: 26

Can't I use LM or NTLM rainbow tables?
Wouldn't that be much faster?

Posted: Mon Jan 19, 2009 8:36 pm
waraxe | Site admin | Joined: May 11, 2004 | Posts: 2407 | Location: Estonia, Tartu

No, because of the random challenge, rainbow tables are not usable.